#####################################################
# Exploit Title : TCLlib arbitrary TCL execution Vulnerability
# Author : Ashiyane Digital Security Team
# Date: 21/08/2015
# Tested On : Firefox - Win7
# Link Vulnerability:
# http://www.opensource.apple.com/source/tcl/tcl-87/tcl_ext/tcllib/tcllib/installer.tcl
# Researcher : Und3rgr0und
#####################################################
# Information:
#
# TCL uses objects called channels to read and write data. The channels can be created
# using the open or socket command. There are three standard channels available to
# TCL scripts without explicitly creating them. They are automatically opened by
# the OS for each new application. They are stdin, stdout and stderr.
# The standard input, stdin, is used by the scripts to read data.
# The standard output, stdout, is used by scripts to write data.
# The standard error, stderr, is used by scripts to write error messages.
#
#####################################################
# Vulnerability :
#
# The value of an unfiltered variable, read with gets, is used and evaluated.
#
# If the external variable contains then arbitrary TCL execution is possible.
#
# The affected input variable:
#
# proc wait {} {
#     global config
#
#     if {!$config(wait)} {return}
#
#     puts -nonewline stdout "Is the chosen configuration ok ? y/N: "
#     flush stdout
#     set answer [gets stdin]
#     if {($answer == {}) || [string match "\[Nn\]*" $answer]} {
#         puts stdout "\tNo. Aborting."
#         puts stdout ""
#         exit 0
#     }
#     return
# }
#
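# Worked example (added for this write-up; it is not code from the tcllib
# installer or from the advisory author): the confirmation prompt from the
# proc above, rebuilt to show how the value returned by [gets stdin] reaches
# expr, with the braced comparison the proc uses next to an unbraced one that
# substitutes its operand twice. classify_answer, unsafe_compare and
# wait_for_confirmation are names chosen here; the inputs in the self-check
# are constructed. Run with tclsh; the self-check needs no terminal.

```tcl
# Added example, not part of the original advisory or of tcllib.
# Run: tclsh example.tcl

# Hardened handling of the answer: trim it, then classify it against an
# allow-list of accepted forms. The expression is braced, so expr receives the
# literal text "$answer" and substitutes the variable exactly once, as a string
# operand; a value such as {[puts injected]} is compared, never executed.
proc classify_answer {answer} {
    set answer [string trim $answer]
    if {$answer eq "" || [string match -nocase {n*} $answer]} {
        return no
    }
    if {[string match -nocase {y*} $answer]} {
        return yes
    }
    return invalid
}

# Unsafe pattern, kept only for contrast. The expression is NOT braced: the Tcl
# parser substitutes $answer while building the argument, and expr then runs
# its own round of command substitution on the resulting text. Any [...] that
# the external value contained is executed, and the comparison result is wrong
# as well, because the executed command's result is what gets compared.
proc unsafe_compare {answer} {
    return [expr "\"$answer\" == \"\""]
}

# Prompt loop in the shape of the installer's wait proc, using the hardened
# classifier. gets in its two-argument form returns -1 at end of file, which
# is treated like an empty (default "No") answer instead of an error.
proc wait_for_confirmation {} {
    puts -nonewline stdout "Is the chosen configuration ok ? y/N: "
    flush stdout
    if {[gets stdin answer] < 0} {
        set answer ""
    }
    switch -- [classify_answer $answer] {
        yes     { return }
        no      { puts stdout "\tNo. Aborting."; exit 0 }
        default { puts stdout "\tUnrecognised answer. Aborting."; exit 1 }
    }
}

# Self-check on constructed inputs. The last input carries a bracketed command
# and must come back as "invalid" without anything being executed.
foreach {input expected} {
    {}                no
    {n}               no
    {No thanks}       no
    {y}               yes
    {YES}             yes
    {[puts injected]} invalid
} {
    set got [classify_answer $input]
    if {$got ne $expected} {
        error "classify_answer {$input}: got $got, expected $expected"
    }
}
puts "classify_answer: all constructed inputs handled as expected"

# Same bracketed value through the unsafe form: the embedded puts runs (one
# line "injected" appears) and the comparison wrongly yields 1 (equal to "").
set r [unsafe_compare {[puts injected]}]
puts "unsafe_compare returned $r for a non-empty answer"
```

# The difference is only the braces around the expression: brace every
# expr/if/while condition that can see external data, and validate the value
# against the answers the prompt actually accepts before acting on it.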
####################################################
# Line 6 :
#
# set answer [gets stdin]
#
####################################################
# Patch :
#
# set answer [gets $stdin]
#
# or
#
# set answer $stdin
#
#
####################################################
# Discovered By : Und3rgr0und
####################################################